Is it ethical/legal to post descriptions of unpatched vulnerabilities on Habré?
The situation is this: I found one unpleasant feature in a popular web product. Its operation makes it quite easy to cause a denial of service under some circumstances.
I reported the problem to the developer and received the following response:
After developers' review, we believe this not to be applicable in most real use cases (and have seen none so far); however, we do believe security measures to prevent this could be improved, so we're keeping this open for future consideration.
After informing the developer and waiting enough time for them to patch the hole, you can do it without any remorse.
If they haven’t bothered to close the hole in a few days, then they don’t really need it.
Provided that the answer was received only yesterday, wait a week or two, then ask the developers whether they are going to patch it or not. If not, then warn them that in a week you will publish details of the hole (a kind of kick for them). And if they have patched it, then well done, and you can publish without a twinge of conscience.
I think this is the most rational course of action.